Towards Communication-Efficient Quantum Oblivious Key Distribution 
Oblivious Transfer, a fundamental problem in the field of secure multi-party
computation, is defined as follows: a database DB of N bits held by Bob is
queried by a user Alice who is interested in the bit $DB_b$, in such a way that
(1) Alice learns $DB_b$ and only $DB_b$ and (2) Bob does not learn anything about
Alice's choice b. While solutions to this problem in the classical domain rely
largely on unproven computational complexity theoretic assumptions, it is also
known that perfect solutions that guarantee both database and user privacy are
impossible in the quantum domain.

Jakobi et al. [Phys. Rev. A, 83(2), 022301, Feb 2011] proposed a protocol for Oblivious Transfer 
using well known QKD techniques to establish an Oblivious Key to solve this problem. Their solution 
provided a good degree of database and user privacy (using physical principles like impossibility 
of perfectly distinguishing non-orthogonal quantum states and the impossibility of superluminal 
communication) while being loss-resistant and implementable with commercial QKD devices (due 
to the use of SARG04). 

However, their Quantum Oblivious Key Distribution (QOKD) protocol requires a
communication complexity of $O(N \log N)$. Since modern databases can be
extremely large, it is important to reduce this communication as much as
possible.

In this paper, we first suggest a modification of their protocol wherein the
number of qubits that need to be exchanged is reduced to O(N). A subsequent
generalization reduces the quantum communication complexity even further, in
such a way that only a few hundred qubits need to be transferred even for very
large databases.




I. INTRODUCTION 

Impressive progress has been made over the last two decades in our
understanding of how quantum principles can be used to secure communication
between trusting parties against eavesdropping. For example, Quantum Key
Distribution (QKD) techniques have gained steadily in technical applicability.
However, in the more general field of secure multi-party computation, which
comprises tasks such as Coin Flipping and Bit Commitment and normally implies
communication between distrustful parties, only a few quantum alternatives to
classical schemes have emerged. One of the most fundamental problems of this
type is Oblivious Transfer (OT), also known as Symmetrically Private
Information Retrieval (SPIR). This task is complete for secure multi-party
computation in the sense that all other tasks may be constructed from it [1].
Originally introduced in two different flavors by Rabin [2] in 1981 and by
Even, Goldreich and Lempel [3] in 1985, which were shown to be equivalent by
Crepeau [4], the problem of 1-out-of-2 OT requires Bob to send two bits to
Alice such that (i) Alice gets to receive only one bit (she cannot get
significant information about the other) and (ii) Bob does not get to know
which bit Alice received, i.e. he is oblivious to what she learns. The problem
of 1-out-of-N OT is a generalization of 1-out-of-2 OT: Bob hosts a database DB
of N bits. Alice wishes to retrieve the value of a certain bit, say the b-th,
from the database. Privacy has to be preserved symmetrically: Bob should not
get to know which bit Alice is interested in (that is, in this case he should
not get to know b); at the same time, Alice should not get to know the value
of any other bit in the database that she has not queried for.

It is interesting to note that this task may be accomplished by precomputing
an "Oblivious Key" [5]: a string OK of N random bits that is (i) completely
known to Bob while (ii) Alice knows only one bit $OK_j$ of this string, with
Bob being oblivious to j. Once such a key is established, it can be used to
complete the actual OT: Alice, being interested in the database element
$DB_b$, announces a shift $s = j - b$ to Bob. Thus, Bob gets to know neither j
nor b, but only s. Bob then encrypts the database bitwise as
$DB'_a = \mathrm{XOR}(DB_a, OK_{a+s})$, $1 \le a \le N$, and announces the
encrypted database $DB'$. From this, Alice recovers the bit that she wanted:
$DB_b = \mathrm{XOR}(DB'_b, OK_j)$, and the OT is complete.

There exist several approaches in the classical realm to SPIR and OT (see
e.g. [6-9]). Existing classical protocols for these problems depend on some
unproven computational complexity theoretic assumption like the nonexistence
of efficient algorithms for integer factoring. More recently, classical
approaches have been complemented by several quantum protocols. However, they
have subsequently been shown to be inadequate because of susceptibility to
different attacks [9], or practical difficulties.

A result of Lo [10] put a damper on the quantum efforts. He showed in 1996
that an ideal solution cannot exist even in the quantum world: any protocol
that guarantees perfect concealment of b against Bob actually leaves the
database completely vulnerable to attacks by Alice.

Since then, several workarounds have been proposed (see e.g. [11]), albeit
with some vulnerabilities. Recently, Jakobi et al. [12] made interesting
progress by proposing a protocol that circumvents the impossibility proofs at
the cost of perfect concealment. Their protocol relies on well known QKD
techniques to establish an Oblivious Key between Alice and Bob that fulfills
the OT requirements to a large extent while being consistent with Lo's proof.
Therefore, we refer to their approach as Quantum Oblivious Key Distribution
(QOKD).

The QOKD protocol offers good database security as well as user privacy and
has been shown to be resilient to several attacks. However, some problems
remain in the communication complexity of their solution. A transfer of N
qubits is costly in itself, as modern databases are extremely large. The QOKD
protocol involves transferring in addition at least kN qubits, where k is a
security parameter. It turns out that Alice will on average get to know about
$N(\tfrac{1}{4})^k$ bits of the database. Therefore, unless k also increases
with N, the number of bits that become known to Alice in addition to the one
she is supposed to know increases with N. By the same token, if this number is
required to stay constant, k will have to rise at least logarithmically with
N.



A. This Paper 

In this paper, we first suggest a modification of the ini- 
tial QOKD protocol wherein the number of qubits that 
need to be exchanged is reduced to N. We then investi- 
gate the impact of the modification on database security 
and user privacy. Subsequently, we show that the modifi- 
cation can be generalized to reduce the required quantum 
communication complexity even further. We show sim- 
ple numerical examples of the generalization indicating 
that at most a few hundred qubits are sufficient even for 
extremely large databases. 

This paper is arranged as follows. The next section gives a brief account of
the QOKD protocol of Jakobi et al. In section III we discuss its modification,
analysis and generalization. Section IV concludes the paper.



II. THE INITIAL QUANTUM OBLIVIOUS KEY 
DISTRIBUTION PROTOCOL 

A. Brief Sketch 

The QOKD protocol for SPIR proceeds in three phases: First, a key is
established between Bob and Alice using the SARG04 [13] Quantum Key
Distribution (QKD) protocol. In the second phase, this key is processed to
produce an oblivious key OK, a string of N bits. While Bob has complete
knowledge of this oblivious key, Alice knows only a few bits conclusively.
Note that this OK is not perfect and therefore does not contradict Lo's
impossibility proof. In the final phase, the oblivious key OK is used to
classically encrypt the database so that Alice can learn the bit that she is
interested in.

First phase: In contrast to BB84, the SARG04 QKD protocol uses the basis to
encode a bit. For example, let the "up-down" basis $\updownarrow$ encode bit
value 0 and the "left-right" basis $\leftrightarrow$ encode 1. The protocol
would then use the four states $|\uparrow\rangle$, $|\downarrow\rangle$,
$|\rightarrow\rangle$ and $|\leftarrow\rangle$, with
$|\langle\uparrow|\rightarrow\rangle|^2 = \tfrac{1}{2}$ etc.

To establish one bit of the key, Bob prepares one of these states and sends
it to Alice. He then announces the sent state and one state of the other
basis. For instance, to send 0, Bob can prepare the state $|\uparrow\rangle$
and announce the pair $\{|\uparrow\rangle, |\rightarrow\rangle\}$. Alice then
has to determine whether Bob sent $|\uparrow\rangle$ or $|\rightarrow\rangle$.
A simple way to do this is to measure the received state in one of the two
bases and hope for a result that will exclude one of the announced states.

In the example above, measuring in the left-right basis will yield the result
$|\leftarrow\rangle$ with probability 1/2, which excludes the announced state
$|\rightarrow\rangle$. This allows Alice to conclude that the state sent by
Bob must have been $|\uparrow\rangle$. A measurement in the up-down basis
would never yield a conclusive result, as the only possible result is
$|\uparrow\rangle$.

Since Alice chooses the correct basis half of the time and then obtains a
conclusive result with probability 1/2, the overall probability of having a
conclusive result is $\tfrac{1}{4}$ in SARG04. Therefore, Alice will know only
a quarter of the sent bits with certainty; the values of the rest are
inconclusive. Indeed, a "bit" can now also have the value "inconclusive" in
addition to 0 or 1.

To proceed with the extraction of the oblivious key OK, all sent bits are
kept for the second phase. Note that this procedure is completely
loss-independent [14].

Second phase: The steps of the first phase are repeated until a raw key R
with elements $\{q_i\}$, $i = 1 \ldots kN$, is established. Alice will know
the values of $\tfrac{kN}{4}$ bits of R conclusively, while Bob knows all.
The problem now is to extract (from the raw key R) an oblivious key OK, a
string of N bits completely known to Bob but of which Alice only knows a few
elements. To that end, we form N groups of k qubits each. The elements of the
oblivious key OK are then defined as the XOR of the N groups:
$OK_j = \mathrm{XOR}(q_{k \cdot j}, q_{k \cdot j + 1}, \ldots, q_{k \cdot j + k - 1})$
for $1 \le j \le N$. Therefore, if even one of the bits is inconclusive for
Alice, her evaluation of the XOR will be inconclusive. If Alice conducts her
measurement as described in phase I, the probability that Alice knows all the
bits of a group conclusively and can therefore compute the parity of the
group is $(\tfrac{1}{4})^k$. Finally, she will know on average
$N(\tfrac{1}{4})^k$ elements of the oblivious key OK conclusively. k should
be chosen such that Alice knows on average only a small number c of key bits,
i.e. $k = \log_4(N/c)$. With a probability of $e^{-c}$ Alice is left with no
known bit of OK and the protocol must be restarted.
Third phase: After completion of the second phase, an oblivious key OK is
established such that on average c bits are known to Alice, while Bob knows
OK completely. This key is used to bitwise encrypt the database DB, ensuring
that Alice obtains little information besides the bit she is interested in.
Supposing Alice knows the bit $OK_j$ of the key and is interested in $DB_b$,
the b-th bit of DB, she communicates the shift $s = j - b$ to Bob. As
described in the introduction, Bob then encrypts the database bitwise as
$DB'_a = \mathrm{XOR}(DB_a, OK_{a+s})$, $1 \le a \le N$, announces the
encrypted database $DB'$, and Alice recovers the bit that she wanted:
$DB_b = \mathrm{XOR}(DB'_b, OK_j)$. If $\{j'\}$ are the indices of the $c - 1$
other bits in OK that she learns conclusively after phases I and II, she can
also get to know some more bits $DB_{b'} = \mathrm{XOR}(DB'_{b'}, OK_{j'})$ of
the database. However, the $\{j'\}$ are randomly distributed in OK and will
generally not allow Alice to retrieve a second bit of interest to her.



B. On the Security of Quantum Oblivious Key 
Distribution 



Jakobi et al. [12] provide interesting arguments for the security of their
QOKD scheme, while studying the most obvious attacks directly. Like all
quantum SPIR protocols, QOKD cannot offer perfect security for both sides but
exploits a trade-off between database security and user privacy.



Database security: At the outset, Jakobi et al. [12] let us know that the
above protocol actually provides Alice with information on inconclusive bits,
too. In the example of phase I, Alice measuring Bob's sent state
$|\uparrow\rangle$ in the up-down basis will never yield a conclusive result,
as it is not possible to rule out either of the two announced states
$\{|\uparrow\rangle, |\rightarrow\rangle\}$. However, with this measurement,
Alice will always find the state $|\uparrow\rangle$. Having chosen the same
measurement basis as Bob used for state preparation, Alice will always find
his sent state "inconclusively". As this happens half of the time, and as the
other inconclusive result ($|\rightarrow\rangle$ in the example) is found with
probability only $\tfrac{1}{4}$, Alice has indeed a guess on which state Bob
had sent. By assuming her "inconclusive" outcome is actually the state he had
prepared, she will be correct about the bit value with likelihood
$\tfrac{2}{3}$. This partial information will be washed out during the
extraction of OK in such a way that in a group where Alice measures all but x
bits conclusively, $x \ge 1$, she will guess the key bit correctly with a
probability that depends on x.



While analyzing the protocol's security, one must assume in general that
Alice has a quantum memory at her disposal and is able to postpone her
measurements until after Bob's SARG04 state pair announcement. She then knows
that her measurement must distinguish, for instance, the states
$|\uparrow\rangle$ and $|\rightarrow\rangle$ in order to decipher the sent
bit. It can then be shown that Alice can perform an unambiguous state
discrimination (USD) measurement which is successful with a probability of at
most $p_{\mathrm{USD}} = 1 - F(|\uparrow\rangle, |\rightarrow\rangle) = 1 - 1/\sqrt{2} \approx 0.29$,
where F is the fidelity. If Alice measures each received qubit individually,
this attack is optimal and Alice will have on average 0.29N conclusive qubits
instead of 0.25N before starting phase II of the protocol. However, this fact
has only limited impact as it will increase the number of key elements known
to Alice by only a factor of $(0.29/0.25)^k \approx (1.16)^k$, where
typically $k < 10$.

Instead of performing individual measurements, Alice can also perform a joint
measurement on k qubits in order to directly measure their overall parity.
This way, she directly measures the associated key bit without using
individual bit values. Jakobi et al. [12] show that the success probabilities
for USD as well as Helstrom maximal information gain measurements on k-qubit
states decline rapidly with increasing k. Therefore, Alice's knowledge on the
final key is physically restricted by the impossibility to perfectly
discriminate the non-orthogonal states used for encryption of the key
elements.

User privacy: Jakobi et al. [12] argue that Bob is able to obtain limited
information on the conclusiveness of Alice's bits but will then lose
information on which bit value she has actually measured. He will thus
introduce errors. For example, sending $|\nearrow\rangle$ or
$|\nwarrow\rangle$ while announcing the pair $\{\uparrow, \rightarrow\}$ will
yield a probability for Alice to measure conclusively of
$p_- = \tfrac{1}{2} - \tfrac{1}{2\sqrt{2}} \approx 0.15$ or
$p_+ = \tfrac{1}{2} + \tfrac{1}{2\sqrt{2}} \approx 0.85$, respectively. This
turns out to be optimal: Bob can bias the conclusiveness probability p for
Alice's qubits within the limits $p_- \le p \le p_+$. At the same time,
sending $|\nearrow\rangle$ or $|\nwarrow\rangle$ will obviously not give Bob
any information on the result of Alice's measurement. In fact, Bob cannot
know the measurement basis Alice chose, which implies that it is impossible
for him to have both increased information on her conclusiveness and full
information on the bit value she measures (if conclusive). Every manipulation
will hence create errors in the oblivious key.

These characteristics are a consequence of the use of 
non-orthogonal states in SARG04 and the no-signaling 
principle. As a consequence, the protocol exploits fun- 
damental physical principles to ensure database security 
and user privacy while allowing small additional informa- 
tion gains for both sides thus preventing a conflict with 
Lo's impossibility proof. 



C. The Problem of Efficiency

The number c of bits revealed to Alice at the end of SARG04 and XORing of the
N groups of k bits is on average $N(\tfrac{1}{4})^k$. Thus, unless k
increases with N, c would also increase with N. In particular, k needs to
increase at least logarithmically with N to ensure that c remains constant,
and the quantum communication complexity is therefore $O(N \log N)$. Given
the size of modern databases (which run into petabytes), such an increase
should be avoided as this would be far too costly for the communication of
only one bit to Alice.

We now show that it is possible to reduce the required quantum communication
complexity, first to O(N) and subsequently even below, while maintaining the
protocol's security.
                    |      |   7  |   9   |  11   |  13
At least one        |  81  |  98  |  95   |  86   |  79
Average, p = 0.25   | 2.37 |  6.5 | 4.09  | 2.45  | 2.17
Average, p = 0.29   | 6.46 | 18.9 | 15.45 | 13.42 | 15.74

TABLE I: Simulation over 100 runs of the modified QOKD protocol with database
size N. "Average" denotes the average number of survivors and "At least one"
denotes the number of runs that have at least one survivor.



III. THE ROAD TO 
COMMUNICATION-EFFICIENCY 

A. The Modified Protocol 

We propose modifying the second phase of the above protocol in such a way
that every element of R is replaced by the XOR of its current value with the
values of the $k - 1$ elements immediately following it. The string is
treated cyclically: the last element is replaced by the XOR of its current
value with the values of the first $k - 1$ elements.

Then, the modified protocol is as follows:

• Let R be the raw key after execution of SARG04 for N bits. Then, while Bob
knows the entire R, on average three quarters of the elements of R are
inconclusive at Alice's end.

• Define the elements of OK as follows:
$OK_j = \mathrm{XOR}(q_j, \ldots, q_{j+k-1})$ for $j = 1 \ldots N$ (with
$q_{N+x} := q_x$ for $1 \le x \le k - 1$).

• If no bit survives at Alice's end, repeat the above two steps.

• Continue with the steps of the third phase for database exchange and
verification.

The modification that we have just described requires a quantum communication
complexity of N and is based on the following observations.

Suppose we have a coin that shows heads with probability p and tails with
probability $1 - p$ when tossed. It is a folklore theorem that when such a
coin is tossed N times, the length of the longest streak of heads is
$O(\log_{1/p} N)$ with high probability [15].

The analogue of a streak of heads in coin tosses is 
a streak of conclusively known bits at the end of the 
SARG04 protocol for N qubits. Tails would therefore be 
analogous to the inconclusive bits. 

We will now argue that with high probability, the expected number of times
such a maximum length streak occurs is O(1). Let a bit be conclusively
revealed to Alice with probability p. Then, the probability of a contiguous
streak of l conclusively revealed bits is $p^l$. Let $X_{i,l}$ be the
indicator random variable that takes the value 1 if a streak of length l
starts at position i in the key and 0 otherwise. Thus,
$X_l = \sum_{i=1}^{N} X_{i,l}$ is the random variable that counts the number
of streaks of length l in the key. By linearity of expectation, the expected
number of streaks of length l is $\sum_{i=1}^{N} E[X_{i,l}]$. Given that
$\Pr[X_{i,l} = 1] = p^l$, we have $E[X_l] = \sum_{i=1}^{N} p^l$, that is,
$E[X_l] = N p^l$. For $l = \log_{1/p} N$, we have $E[X_l] = 1$. Moreover, by
Markov's inequality, the probability that the number of such streaks exceeds
some t is at most

$$\frac{E[X_l]}{t}.$$

For instance, if we take $p = \tfrac{1}{4}$ and $l = k = \log_4(N/c)$, we
find $E[X_k] = c$. That is, the above procedure will yield on average c
streaks of length k, where $k = \log_4(N/c)$ as in the original QOKD
protocol. Finally, by Markov's inequality, the probability that the number of
such streaks exceeds $E[X_k]^m = c^m$, for any $m > 1$, is at most
$1/c^{m-1}$.



In other words, it is likely that (i) there is at least one streak of length
k in the key, (ii) there is only a small number c of streaks of length k, and
(iii) every other streak in OK is less than k in length.

We report in Table I simulations that justify the protocol. As pointed out by
Jakobi et al. [12], even with a quantum memory, Alice can conclusively obtain
only about 0.29 of the bits after execution of SARG04 (the first step of the
protocol). For this reason, and in continuation of our running example, we
run the simulations on $p = \tfrac{1}{4}$ and $p = 1 - \tfrac{1}{\sqrt{2}}$
respectively, with the same k for both.



B. On the Security of the modified protocol 

The security considerations of [12] presented above largely apply to the
modified protocol as well, as the changes only concern the post-processing
and extraction of the oblivious key.

Database security: If Alice has a quantum memory at her disposal, she is able
to postpone her measurement until after the state announcement of Bob during
the SARG04 phase. As discussed before, when measuring each received qubit
individually, this attack is optimal and directly covered by the
considerations on the likelihood of conclusive streaks in section III A,
using $p_{\mathrm{USD}} = 0.29$ instead of $p = 0.25$. The impact is
precisely as before an increase in known key bits for Alice by a factor of
$(0.29/0.25)^k \approx (1.16)^k$. However, while individual key bits are as
hard to extract as in the initial protocol, the modified version offers less
protection with respect to the relative parities between key bits. The
difference between two consecutive key bits $OK_j$ and $OK_{j+1}$ consists in
the substitution of the qubit $q_j$ by $q_{j+k}$, i.e.
$OK_j = \mathrm{XOR}(q_j, q_{j+1}, \ldots, q_{j+k-1})$ and
$OK_{j+1} = \mathrm{XOR}(q_{j+1}, q_{j+2}, \ldots, q_{j+k-1}, q_{j+k})$, where
the $q_i$ are the bit values corresponding to Bob's sent states. The parity
of $OK_j$ and $OK_{j+1}$ is revealed upon successful measurement of $q_j$ and
$q_{j+k}$. We note hence that the reduction in communication complexity comes
at the cost that parity information is easier to obtain.
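The streak argument of section III A and the parity leak just described, as an added example (not the authors' code): Alice's conclusive bits are modelled as independent coin tosses with probability p, the key is built with the cyclic sliding window OK_j = XOR(q_j, ..., q_{j+k-1}), survivors are counted against the expectation N p^k over many runs as in Table I, and the pairs (q_j, q_{j+k}) that hand Alice the parity OK_j XOR OK_{j+1} are listed. The Bernoulli model of conclusiveness and the function names are assumptions of this example.

```python
import random

def sliding_oblivious_key(bob_raw, alice_raw, k):
    """Modified phase II: OK_j = XOR(q_j, ..., q_{j+k-1}) with indices taken
    cyclically (q_{N+x} := q_x). alice_raw holds None for inconclusive bits."""
    n = len(bob_raw)
    ok_bob, ok_alice = [], []
    for j in range(n):
        window = [(j + i) % n for i in range(k)]
        ok_bob.append(sum(bob_raw[i] for i in window) % 2)
        if any(alice_raw[i] is None for i in window):
            ok_alice.append(None)
        else:
            ok_alice.append(sum(alice_raw[i] for i in window) % 2)
    return ok_bob, ok_alice

def survivors(ok_alice):
    """Key positions Alice knows, i.e. starts of conclusive streaks of length k."""
    return [j for j, bit in enumerate(ok_alice) if bit is not None]

def leaked_parities(alice_raw, k):
    """Positions j where Alice knows q_j and q_{j+k} and therefore the relative
    parity OK_j XOR OK_{j+1} = q_j XOR q_{j+k}, even when she knows neither
    key bit itself."""
    n = len(alice_raw)
    return {j: alice_raw[j] ^ alice_raw[(j + k) % n]
            for j in range(n)
            if alice_raw[j] is not None and alice_raw[(j + k) % n] is not None}

def bernoulli_raw_key(n, p, rng):
    """Constructed stand-in for phase I: Bob's bits are uniform, and each one is
    conclusive for Alice independently with probability p (an assumption)."""
    bob = [rng.randrange(2) for _ in range(n)]
    alice = [b if rng.random() < p else None for b in bob]
    return bob, alice

def simulate_modified(n, k, p, runs, seed):
    """Repeats the modified phase II `runs` times, in the spirit of Table I.
    Returns (mean survivors, runs with at least one survivor, N p^k)."""
    rng = random.Random(seed)
    total = at_least_one = 0
    for _ in range(runs):
        bob, alice = bernoulli_raw_key(n, p, rng)
        _, ok_alice = sliding_oblivious_key(bob, alice, k)
        count = len(survivors(ok_alice))
        total += count
        at_least_one += count > 0
    return total / runs, at_least_one, n * p ** k
```

With N = 4096, k = 6 and p = 1/4 the expectation N p^k is exactly 1, so the mean survivor count over 100 runs should land near 1 while a good fraction of runs has no survivor at all, which is the restart case of the protocol.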

With respect to joint measurement, the new aspect in the modified protocol is
that each qubit contributes to k different key elements. Looking at a key bit
$OK_j = \mathrm{XOR}(q_j, q_{j+1}, \ldots, q_{j+k-1})$, we can assume without
loss of generality that Bob announces for all k qubits a SARG04 pair of
$\{\uparrow, \rightarrow\}$. The initial state before Alice's measurement of
$OK_j$ is then

$$\rho_k = \bigotimes_{i=j}^{j+k-1} \tfrac{1}{2}\left(|\uparrow\rangle\langle\uparrow| + |\rightarrow\rangle\langle\rightarrow|\right).$$

Alice now performs a joint USD measurement on $\rho_k$ in order to retrieve
$OK_j$ directly. This USD measurement can either be conclusive or
non-conclusive, with conclusive results being increasingly unlikely with
higher k [12]. In case of a conclusive outcome, Alice will know the overall
parity $OK_j$ of $\rho_k$, and the state after the measurement is given by
all possibilities with parity $OK_j$:

$$\rho_k^{OK_j} = \frac{1}{2^{k-1}} \sum_{\mathrm{XOR}(q_j, \ldots, q_{j+k-1}) = OK_j} |q_j, \ldots, q_{j+k-1}\rangle\langle q_j, \ldots, q_{j+k-1}|.$$

Assuming Bob announced a SARG04 state pair $\{\uparrow, \rightarrow\}$,
$|q_i\rangle$ should be read as $|q_i = 0\rangle = |\uparrow\rangle$ and
$|q_i = 1\rangle = |\rightarrow\rangle$; that is, the states are not
orthogonal. Alice can now try to determine the parity of the next key
element $OK_{j+1} = \mathrm{XOR}(q_{j+1}, \ldots, q_{j+k-1}, q_{j+k})$. Since
all but one of these qubits are part of $\rho_k^{OK_j}$, realizing the
measurement of $OK_{j+1}$ implies tracing out the qubit $q_j$ from
$\rho_k^{OK_j}$, which simply yields

$$\mathrm{Tr}_j\, \rho_k^{OK_j} = \bigotimes_{i=j+1}^{j+k-1} \tfrac{1}{2}\left(|\uparrow\rangle\langle\uparrow| + |\rightarrow\rangle\langle\rightarrow|\right),$$

the initial SARG04 state before measurement for a $k - 1$ qubit state. All
parity information is hence erased from this sub-state and measuring
$OK_{j+1}$ is exactly the same (difficult) task as measuring $OK_j$.

Now we consider the case of Alice's joint USD measurement being inconclusive.
By definition, the parity of the k qubits' ensemble is lost and can no longer
be retrieved. That is, depending on the concrete design of the measurement,
at least one of the k qubits must have lost its bit value information and can
no longer be used to define other key elements. As each qubit contributes to
k different key elements, Alice's failed joint USD measurement of a single
key element renders in fact the decoding of k key elements impossible. In
this sense, our modification can indeed increase database security.



User privacy: The fundamental arguments of [12] for user privacy were based
on the impossibility of perfectly distinguishing non-orthogonal quantum
states and superluminal communication. These remain valid for the modified
protocol as well. In particular, we remind the reader that Bob has no
measurement that would allow him to learn both conclusiveness and Alice's bit
value information. Our first observation is that by manipulating the
conclusiveness of a single qubit $q_i$, Bob will impact the conclusiveness
probability of the k key elements that use $q_i$. However, the same is true
for the error he introduces, which also affects k key elements and hence
becomes easier to detect. A possible strategy for Bob to narrow down Alice's
conclusive bits is to increase the conclusiveness of a (contiguous) part of
his sent qubits while reducing it for the rest. Remembering that
$p_+ + p_- = 1$, increasing the conclusiveness of $p_- N$ qubits to $p_+$
while reducing the conclusiveness of the remaining $p_+ N$ qubits to $p_-$
will maintain Alice's statistics of conclusive bits in R. Neglecting border
effects, these two parts can be seen as independent strings on which the
results of section III A can be applied. For the number of streaks of length
k one finds $E_+ = p_- N p_+^k$ and $E_- = p_+ N p_-^k$. It follows that
$E_+/E_- = (p_+/p_-)^{k-1} > 1$. Therefore, Bob knows that the conclusive
bit, which Alice will use to code the database element she is interested in,
will lie with a high probability of $E_+/(E_+ + E_-)$ in the high
conclusiveness part of OK. However, we note the following observations: (1)
Bob's knowledge remains considerably limited as $p_- N \approx 0.15N$ key
elements are still equally likely, (2) Bob does not know a single bit of the
final key correctly and will thus give completely random answers during the
third phase, and (3) Alice will have significantly more strings of length k
than expected since $E_+ \gg N p^k$, which should make her more than
suspicious. Indeed, as the protocol is both linear in p (number of
conclusively measured qubits) as well as non-linear (number of streaks of
length k), Bob altering the conclusiveness of qubits systematically will
easily show in Alice's statistics.



C. Generalization

In the present modification of the QOKD protocol, a bit of the final key is
defined as the parity of a streak of k qubits,
$OK_j = \mathrm{XOR}(q_j, q_{j+1}, \ldots, q_{j+k-1})$. The reduction in
communication complexity arises from the re-utilization of each qubit as a
contributing element for k bits of the final key, i.e. qubit $q_j$ is used in
the definition of the key bits $OK_{j-k+1}$ to $OK_j$. This idea can be
generalized in order to further reduce communication requirements: Let us
assume phase I of the QOKD protocol is performed until $M < N$ qubits are
distributed to Alice. In order to define the elements of the oblivious key,
we now consider all possible combinations of k out of these M qubits. This
allows us to extract a key of length $\binom{M}{k}$, as each combination
constitutes an independent parity function of k qubits in the sense
introduced by our modified protocol. As such, by considering all these
possible definitions of key bits, the minimal quantum communication
complexity required for an N-bit database is given by $\binom{M}{k} \ge N$.

M (N ≥ 10^5)   |    41 |    29 |    23 |    21 |    20
k              |     4 |     5 |     6 |     7 |     8
Average        |   397 |   131 |    46 |    28 |    19
No bit         |  3.8% | 11.5% | 46.8% | 74.4% | 89.8%

M (N ≥ 10^10)  |    71 |    58 |    50 |    45 |    42
k              |     8 |     9 |    10 |    11 |    12
Average        | 162531| 41833 | 11714 |  4094 |  1876
No bit         |  1.2% |  2.9% | 16.4% | 40.9% | 64.9%

TABLE II: Calculated examples for generalized QOKD of databases of size
$10^5$ and $10^{10}$ for different combinations of quantum communication
complexity M and security parameter k. "Average" denotes the average number
of survivors conditioned on cases with at least one survivor and "No bit" the
probability for no survivors.

Table II provides some numerical examples of the impact of the discussed
generalization. As can be seen, in this generalization there is a certain
freedom in choosing M and k. While high k and small M will increase database
security but also increase the abort probability, low k and high M achieve
the opposite. Even for huge databases, the required quantum communication
complexity can be reduced to under 100.

However, the small number of exchanged qubits gives rise to generally poor
statistics, making statistical analyses somewhat unreliable. Also, as this
generalization presents an extreme case of re-using qubits for key definition
and hence for reduction in quantum communication complexity, it does not come
as a surprise that security is considerably less tight. Whereas in the
initial and in the modified protocol a small constant number of database bits
$c = N p^k$ was revealed to Alice on average, the generalized protocol
provides Alice with significantly more bits, especially if the abort
probability should be low ($pM > k$). For instance, if Alice measures $k + x$
of the M qubits conclusively, she is able to calculate $\binom{k+x}{k}$ key
elements. Additionally, even when Alice measures only exactly k qubits
conclusively and can hence only calculate one single key bit, she is still
able to calculate parities between many key elements. As such, the
generalized protocol provides only little database security. Fortunately,
the protocol is sufficiently cheap to be re-performed a couple of times,
which allows database security to be completely re-established, as we will
see in the next section.



D. Enhancing database security 

It is possible to significantly enhance database security by re-performing r
times either of the presented variants of QOKD as follows: in each of the r
rounds an oblivious key $OK^i$, $i = 1 \ldots r$, is generated. To obtain the
final key $OK^{\mathrm{fin}}$, Alice is asked to combine these r keys bitwise
with relative shifts $s_i$ that she can freely choose:

$$OK^{\mathrm{fin}}_n = \bigoplus_{m=1}^{r} OK^{m}_{n+s_m}.$$

This final key is then used to encrypt the database as described in phase III
of the original protocol. This procedure serves the following purpose. Using
QOKD to generate the r oblivious keys ensures that Alice only has partial
knowledge of each of them. Therefore, combining them will further reduce her
knowledge of the key, while the free choice of the offsets ensures that Alice
always retains at least one element of the sum string. For instance, let us
look at the first case of Table II with $r = 2$: Alice generates two keys of
$10^5$ bits, of which she knows 400 conclusively each. It is important to
remember that these bits are randomly distributed over the key strings. As
such, just combining these strings without choosing the optimal offset will
yield on average 1.6 remaining conclusive bits. Numerical simulations show
that by selecting the optimal offset, Alice will be able to retain on average
9.7 known bits of the sum string. Obviously, $r = 3$ will further reduce
Alice's knowledge. In principle, choosing a large r will almost guarantee
that Alice retains one and only one bit in the end [16]. Note that this
procedure will also erase parity information that Alice can gather in the
protocols proposed in this paper.

The presented "dilution process" can obviously ensure adequate database
security and hence allows taking full advantage of the achieved reduction in
quantum communication complexity.
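Added example (not the authors' code) for the generalization of section III C and the dilution process of section III D: it computes the minimal M with C(M, k) ≥ N and the abort probability P[fewer than k of the M qubits conclusive] that underlie Table II, the C(k + x, k) key bits Alice obtains from k + x conclusive qubits, and, for r = 2, the relative shift that maximizes the number of positions Alice still knows in the sum string. Conclusiveness is modelled as independent with probability p, and the known positions in the dilution simulation are drawn uniformly at random as the page's example assumes; the function names are this example's own.

```python
import math
import random
from collections import Counter

def min_qubits(n_db, k):
    """Smallest M with C(M, k) >= N: the quantum communication needed for an
    N-bit database when every k-subset of the M qubits defines one key bit."""
    m = k
    while math.comb(m, k) < n_db:
        m += 1
    return m

def abort_probability(m, k, p):
    """P[Alice has fewer than k conclusive qubits among M] under independent
    conclusiveness with probability p: no key bit survives and the run aborts."""
    return sum(math.comb(m, i) * p ** i * (1 - p) ** (m - i) for i in range(k))

def key_bits_known(conclusive, k):
    """Key elements Alice can compute from `conclusive` conclusive qubits:
    C(k + x, k) when conclusive = k + x, and zero below k."""
    return math.comb(conclusive, k) if conclusive >= k else 0

def best_shift(known_a, known_b, n):
    """Dilution with r = 2: position i of the sum string is known to Alice iff
    i is in known_a and i + s is in known_b. Returns (s, count) for the shift
    s that maximizes the count; every useful s is a difference b - a mod n."""
    diffs = Counter((b - a) % n for a in known_a for b in known_b)
    if not diffs:
        return 0, 0
    s, count = max(diffs.items(), key=lambda kv: (kv[1], -kv[0]))
    return s, count

def dilution_simulation(n, known_each, seed):
    """Two keys of n bits with `known_each` randomly placed conclusive bits, as
    in the page's example (N = 10^5, 400 known each): returns (overlap at
    shift 0, best overlap), to be compared with the quoted 1.6 and 9.7."""
    rng = random.Random(seed)
    known_a = set(rng.sample(range(n), known_each))
    known_b = set(rng.sample(range(n), known_each))
    unshifted = len(known_a & known_b)
    return unshifted, best_shift(known_a, known_b, n)[1]
```

Averaging `dilution_simulation` over many seeds reproduces the order of magnitude of the page's 1.6 versus 9.7 comparison; the M values returned by `min_qubits` for N = 10^5 and N = 10^10 match the first row of each half of Table II.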



IV. CONCLUSION 

We showed that the protocol proposed by Jakobi et al. can be modified to
reduce the required quantum communication complexity without compromising
its security and while maintaining its strengths of loss-resistance,
practical feasibility, and integrability with current QKD devices. As a
consequence, it is now possible to bring very large databases into the scope
of Quantum Oblivious Key Distribution. Moreover, the modified protocol is
sufficiently cheap in terms of quantum communication complexity so as to
construct approximate versions of a whole range of quantum cryptographic
algorithms based on SPIR. As such, Quantum Oblivious Key Distribution can
significantly add to what can practically be realized today in the realm of
quantum cryptography and, together with QKD, it might well provide the basis
for all practical future applications of quantum cryptography.